Determining effectiveness has been on my mind in large part since the release of the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (Evaluation). Obviously the new by-word from the Evaluation is operationalization but a key in determining operationalization is determining your compliance program effectiveness. I put that question to Vincent DiCianni, CEO and founder of Affiliated Monitors and Eric Feldman, SVP of Affiliated Monitors recently.

Feldman began by explaining that you need to consider both outcomes and outputs. Outcomes will show you the results of specific actions, such as investigations and the conclusions reached in them. DiCianni added that the numbers are attractive because they can form a “straight line” about how your compliance program is functioning. Yet DiCianni cautioned that the numbers only give you one view of a compliance program. You also need to consider the qualitative side of the equation.

This is where outputs are equally important, as they form the qualitative portion of determining compliance program effectiveness. More importantly, you cannot conflate the two. Feldman explained that hotline data is a good example: if your number of hotline reports drops dramatically, the company may well believe its compliance program is effective. However, Feldman cautioned this could be a tenuous conclusion “because just as easily one could conclude that your culture has taken a turn for the worse, that employees are afraid of retaliation, they don’t have faith and trust in the anonymity of your hotline system and therefore they’re just not reporting, but things are still going on. In fact, there may be more activity going on”.

Some important considerations are such softer measures as how employees feel about whether the company is committed to a speak-up culture. Feldman noted that by interviewing employees, you can determine if they feel “comfortable going to their managers and if their managers are involved, going to upper level management, Ethics and Compliance Office, or a corporate reporting hotline if and when they see misconduct, or do they mind their own business and look the other way because they’re afraid something will happen to them?” The best way to make that determination is through in-person interviews.

Another key way to determine if you have an effective compliance program is to see whether what a company says on paper about its vision, mission and values around compliance is borne out in practice. Here a key metric is performance incentives, bonuses, promotions and assignments. Feldman explained you must ascertain if the financial packages are based solely on hitting your numbers “or are there elements that balance out the financial measures with ethical measures, integrity measures. For example, if a manager is effectively disseminating the ethics message and building an ethical culture in his or her work group and they are rated on that in a performance appraisal, that should be part of their bonus system.”

One valuable resource to assist the compliance practitioner in this task is “Measuring Compliance Program Effectiveness: A Resource Guide,” issued by the Health Care Compliance Association (HCCA) and the Department of Health and Human Services, Office of Inspector General (OIG) in March 2017. Although it was publicly released after the Justice Department Evaluation, it was drafted prior to that document’s release and hence did not have the benefit of the DOJ’s thinking on measuring compliance program effectiveness.

The document is an excellent resource on not only “what to measure” but equally important “how to measure” the seven elements of a compliance program as detailed in the US Sentencing Guidelines. While the focus is towards the health care industry, the concepts are broad enough for any industry or compliance practitioner to use to determine the effectiveness of their compliance program. Did I mention the cost – it is available at no charge on the OIG website.

Once again, although focused on health care compliance, the Resource Guide is practical for the non-health care compliance professional. Further, it ties into many of the concepts articulated in the Evaluation. For example, in the Evaluation, Prong 2. Senior and Middle Management, the following questions appear under the heading Oversight – What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred? 

In the Resource Guide, the following appears under Element 2: Compliance Program Administration, Board of Directors:

What to Measure (numbered item) / How to Measure (bullets)

2.1 Active Board of Directors
  · Review minutes of meetings where the Compliance Officer reports in person to the Audit and Compliance Committee of the Board of Directors on a quarterly basis.
  · Conduct an inventory of reports given to the board and applicable committees.

2.2 Board understanding and oversight of their responsibilities
  · Review of training and responsibilities as reflected in meeting minutes and other documents (training materials, newsletters, etc.). Do minutes reflect the board’s understanding?
  · Review/audit board education – how often is it conducted? Conduct interviews to assess board understanding.

2.3 Appropriate escalation to oversight body
  · Review minutes/checklist in compliance officer files.

2.4 Commitment from top
  · Review compliance program resources (budget, staff).
  · Review documentation to ensure staff, board and management are actively involved in the program.
  · Conduct interviews of board, management and staff.

2.5 Process for escalation and accountability
  · Process review (document review, interviews, etc.). Is there timely reporting and resolution of matters?

In the Evaluation, under Prong 3. Autonomy and Resources, the following questions appear under the heading Funding and Resources – How have decisions been made about the allocation of personnel and resources for the compliance and relevant control functions in light of the company’s risk profile? Have there been times when requests for resources by the compliance and relevant control functions have been denied? If so, how have those decisions been made?

Under Element 2 in the Resource Guide, in the section entitled “Compliance Budget”, the following appears:

What to Measure (numbered item) / How to Measure (bullets)

2.6 Appropriate oversight of budget
  · Review charter of governing body (Board) to verify it includes approval of compliance budget.

2.7 Budget is based on an assessment of risk and program improvement/effectiveness
  · Is the Board’s approval of the budget based on identified risks and effectiveness evaluation/program improvement?

2.8 Sufficient compliance program resources (budget, staffing)
  · Review budget and staffing to ensure significant risks are managed appropriately.

These are just a couple of examples of how a compliance professional can begin to think through the questions laid out by the DOJ in its Evaluation. Moreover, by using the Resource Guide, you will be able to more fully determine the operationalization of your compliance program. The stated purpose is to give compliance professionals “as many ideas as possible, be broad enough to help any type of organization, and let the organization choose which ones best suit its needs.” Yet it is decidedly not a checklist; rather, it allows any Chief Compliance Officer (CCO) to assess the effectiveness (and operationalization) of their program.

It also allows the tailoring and measurement of how you manage your company’s risks. As the Resource Guide states, “The frequency of use of any measurement should be based on the organization’s risk areas, size, resources, industry segment, etc. Each organization’s compliance program and effectiveness measurement process will be different.”

DiCianni concluded by emphasizing the need for both a quantitative and qualitative approach to measuring compliance program effectiveness. Numbers are important but they only tell part of the story. He stated, “Both are very important, but I think without having consideration of both sides of the equation, I do not think you will obtain a full understanding of how effective a compliance program is in its operation.”

Three Key Takeaways

  1. You should test your compliance program effectiveness through both a qualitative and quantitative approach.
  2. Bring in an outside party to interview your employees.
  3. The HCCA/OIG Guide is an excellent resource to consider compliance program effectiveness.


For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

I continue my discussion of continuous improvement using big data in a best practices compliance program, with some thoughts on how to use it going forward. An eBook entitled “Planning for Big Data – A CIO’s Handbook to the Changing Data Landscape,” by the O’Reilly Radar Team, features a chapter by Alistair Croll entitled “The Feedback Economy,” which informs today’s discussion.

Croll believes that big data will allow continuous improvement through the “feedback economy”. This is a step beyond the information economy because you are using the information that you have generated and collected as a source of guidance going forward. Information itself is not the greatest advantage; using that information to prevent, detect and remediate in a compliance program is where the advantage lies going forward.

Croll draws on military theory to illustrate his concept of a feedback loop. It is the OODA loop, which stands for observe, orient, decide and act. This comes from military strategist John Boyd, who realized that combat “consisted of observing your circumstances, orienting yourself to your enemy’s way of thinking and your environment, deciding on a course of action and then acting on it.” Croll believes that the success of OODA is in large part “the fact it’s a loop” so that the results of “earlier actions feed back into later, hopefully wiser, ones.” This should allow combatants to “get inside their opponent’s loop, outsmarting and outmaneuvering them” because the system itself learns. For the Chief Compliance Officer (CCO) or compliance practitioner this means that if your compliance program is able to collect and analyze information better, you can act on that information faster.

Croll believes one of the greatest impediments to using this OODA feedback loop is the surplus of noise in our data; that “We need to capture and analyze it well, separating the digital wheat from the digital chaff, identifying meaningful undercurrents while ignoring meaningless flotsam. To do this we need to move to a more robust system to put the data into a more usable format.” Croll moves through each of the steps in how a company collects, analyzes and acts on data.

The first step is data collection, where the challenge is both the sheer amount of data coming in and its size. Once the data comes in it must be ingested and cleaned. If it comes into your organization in an unstructured format, you will need to cut it up and put it into the correct database format for use. Croll touches on the storage component of where you place the data, whether on servers or in the cloud.

A key insight from Croll is the issue of platforms, which are the frameworks used to crunch large amounts of data more quickly. His key insight is to break up the data “into chunks that can be analyzed in parallel” so the data can be considered and acted upon more quickly. Another technique he considers is “to build a pipeline of processing steps, each optimized for a particular task.”

Another important component is machine learning and its importance in the data supply chain. Croll observes, “we’re trying to find signal within the noise, to discern patterns. Humans can’t find signals well by themselves. Just as astronomers use algorithms to scan the night’s sky for signals, then verify any promising anomalies themselves, so too can data analysts use machine learning to find interesting dimensions, groupings or patterns within the data. Machines can work at a lower signal-to-noise ratio than people.”

Yet Croll correctly notes that as important as machine learning is in big data collection and analysis, there is “no substitute for human eyes and ears.” Yet for many CCOs or compliance practitioners, displaying the data is most difficult because it is not generally in a readable form. To say lawyers are not as proficient as other corporate types in Excel or similar tools would be to state the obvious, yet that is about as sophisticated as many practitioners can get. It is important to present the data in a more visual style, turning the “dozens of independent data sources” into navigable 3D environments.

Of course, having all this data is of zero use unless you act on it. Big data can be used in a wide variety of decision making, from employment decisions around hiring and firing, to strategic planning, to risk management and compliance programs. But it does take a shift in compliance thinking to use such data. Once again lawyers are particularly ill suited to consider such information for reasons as diverse as training and temperament. This is yet another reason why compliance has evolved to Compliance 2.0, Compliance 3.0 and beyond. Big data allows you to make a quicker assessment of the impact of measured risks. Croll advocates “fast, iterative learning.”

Croll ends his chapter by noting that the “big data supply chain is the organizational OODA loop.” But unlike the OODA loop, it is about more than simply the loop and plugging information in as you move through it. He believes “big data is mostly about feedback”; that is, obtaining the impact of the risks you have accepted. For this to work in compliance, a company’s compliance discipline needs to both understand and “choose a course of action based upon the results, then observe what happens and use that information to collect new data or analyze things in a different way. It’s a process of continuous optimization”.

The three prongs of any best practices compliance program are prevent, detect and remedy. Whether you consider the OODA loop or the big data supply chain feedback, this process, coupled with the data that is available to you, should facilitate a more agile and directed compliance program. The feedback components in both processes allow you to make adjustments literally on the fly. If that does not meet the definition of continuous improvement, I do not know what does.

Three Key Takeaways

  1. Use big data to continuously improve your compliance program.
  2. The OODA Loop is an excellent way to think about using data for continuous improvement.
  3. Always remember the human (i.e., CCO) element.


In this episode, I explore why Wells Fargo needs a true compliance expert on its Board of Directors. The Wells Fargo Board needs someone with compliance expertise to oversee the role of the Chief Compliance Officer (CCO) and the bank’s compliance function, which clearly was not up to the task of preventing illegal or even unethical conduct. With Board oversight of compliance, the senior executives provide the Board with a certain level of information and reporting, which is an outcome of how senior management and the C-Suite have defined the compliance risk appetite.

My plea to the company is to hire someone with direct compliance experience for this final seat on the Board of Directors. While some Directors have experience in the regulatory world, that is very different from experience in the compliance realm, which focuses on the mission, vision and values of a corporation through the tripartite process of prevent, detect and remediate. In addition to getting its regulatory house in order, Wells Fargo has one very large culture problem which needs compliance expertise. Even for a former bank president, the issue of compliance is at the absolute forefront of Wells Fargo’s miasma.

In this very topical episode Matt Kelly and I take a deep dive into the administration’s response to the events over the weekend in Charlottesville and what it means for business leaders, compliance practitioners and others going forward. With the resignation of Ken Frazier, CEO of Merck, and multiple others from the administration’s voluntary business council, due to Trump’s embrace of the alt-right and white supremacy, many CEOs are asking the question “Where’s the upside” to publicly associating with the administration. From the compliance perspective, we explore the question in the context of a corporation’s ethical values, its business mission and its statement for its employees and customers. Finally, we consider the documented ‘Trump Risk’ and how it is negatively impacting US businesses across the globe.

For more, see Matt’s blog post, “Trump Tests Corporate America’s Commitment to Values,” on RadicalCompliance.com.

In 2015, the Securities and Exchange Commission (SEC) announced resolution of a Foreign Corrupt Practices Act (FCPA) enforcement action involving Hitachi Ltd (Hitachi). There were several interesting aspects to this enforcement action and plenty of lessons to be learned by the compliance practitioner going forward. This enforcement action also presented one of the clearest cases I have seen for keeping track of current events as a means of continuous improvement.

Perhaps the most interesting aspect of the Hitachi matter is that it involved bribery of a political party, the African National Congress (ANC). This portion of the enforcement action stands as a stark reminder that political parties are covered by the FCPA just the same as government officials. The FCPA Guidance states: “The FCPA’s anti-bribery provisions apply to corrupt payments made to (1) ‘any foreign official’; (2) ‘any foreign political party or official thereof’; (3) ‘any candidate for foreign political office’; or (4) any person, while knowing that all or a portion of the payment will be offered, given, or promised to an individual falling within one of these three categories. Although the statute distinguishes between a ‘foreign official,’ ‘foreign political party or official thereof,’ and ‘candidate for foreign political office,’ the term ‘foreign official’ in this guide generally refers to an individual falling within any of these three categories.”

The bribery schemes themselves were notable only for their blatantness. Andrew J. Ceresney, Director of the SEC’s Enforcement Division, said in the SEC Press Release, “Hitachi’s lax internal control environment enabled its subsidiary to pay millions of dollars to a politically-connected front company for the ANC to win contracts with the South African government. Hitachi then unlawfully mischaracterized those payments in its books and records as consulting fees and other legitimate payments.” Moreover, according to the Complaint:

  • Hitachi was aware that Chancellor House Holdings (Pty) Ltd. was a funding vehicle for the ANC during the bidding process.
  • Hitachi nevertheless continued to partner with Chancellor and encourage the company to use its political influence to help obtain government contracts from Eskom Holdings SOC Ltd., a public utility owned and operated by the South African government.
  • Hitachi paid “success fees” to Chancellor for its exertion of influence during the Eskom tender process pursuant to a separate, unsigned side-arrangement.

The enforcement action points up the frequent difficulty of engaging in corporate social responsibility and distinguishing it from outright corruption in certain countries. As noted in an article in the Wall Street Journal, businesses “operating in South Africa are encouraged to take on black business partners under the ANC’s policy of black economic empowerment (BEE), intended to redress economic imbalances created by apartheid.” Yet critics claim that there is a “blurred line between business and politics in the awarding of state tenders” in South Africa. However, the ANC front group was charged only approximately $190,819 for a stake which returned to it over $5MM in “dividends” and another $1MM in a “success fee” for contracts to Hitachi worth “about $5.6bn.”

This case demonstrates the need for a CCO to keep track of current events. It does not mean you must read the biggest newspapers on a daily basis, although that certainly would help. You must rely on your business folks on the ground to keep track of personnel changes at joint ventures or other local partnerships. Moreover, there are several automated due diligence services which literally provide daily updates on a wide variety of individuals who might change positions in a government or move from the public sector to the private sector or back.

In many under-developed countries, there is a relatively small group of well-educated technocrats who move back and forth between the government and the private sector. They are also often involved in political parties. So today’s private citizen might be tomorrow’s Politically Exposed Person (PEP) or indeed may have been yesterday’s PEP. This requires you to navigate carefully, as these are most usually jurisdictions which are high-risk for corruption.

For the compliance practitioner, the Hitachi SEC enforcement action provides a valuable reminder that the FCPA covers more than foreign government officials and officials of state-owned enterprises. Political parties are also covered, so that if part of your corporate social responsibility includes payments to political party front groups, your company could get into FCPA hot water. It also means you will need to keep abreast of just who your counterparties are during the entire course of your commercial relationship. This means keeping up with current events is a must and can facilitate continuous improvement.

Three Key Takeaways

  1. The Hitachi FCPA enforcement action demonstrates the need to keep track of current events for continuous improvement.
  2. Many product and services providers in the compliance space provide ongoing monitoring for PEPs and SDNs.
  3. Make sure your partners are still who they say they are!

